From d3b5b63d0fa43228ba6fee1fff9cb34dd191e9ed Mon Sep 17 00:00:00 2001
From: Clemens Backes
Date: Fri, 6 Aug 2021 18:09:46 +0200
Subject: [PATCH] [isolate] Increase allowed stack overflow for sanitizer builds

C++ frames can get quite big in sanitizer builds. In the linked bug it was an ASan debug build, which overflowed the stack by more than 8kB just from C++ frames (when entering the runtime, there was no overflow yet). Hence increase the allowed stack overflow a bit for sanitizer builds, from 8kB to 32kB.

R=jkummerow@chromium.org

Bug: chromium:1236560
Change-Id: I119fdb859f7ab5e6a0a4174cf79f0a16baa39432
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3078359
Reviewed-by: Jakob Kummerow
Commit-Queue: Clemens Backes
Cr-Commit-Position: refs/heads/master@{#76142}
---
 src/execution/isolate.cc                |  6 ++++++
 test/mjsunit/regress/regress-1236560.js | 11 +++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-1236560.js

diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc
index acd7edaef5..9755f917bd 100644
--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@@ -1399,7 +1399,13 @@ Object Isolate::StackOverflow() {
   // frames until we reach this method.
   // If this DCHECK fails, one of the frames on the stack should be augmented by
   // an additional stack check.
+#if defined(V8_USE_ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER)
+  // Allow for a bit more overflow in sanitizer builds, because C++ frames take
+  // significantly more space there.
+  DCHECK_GE(GetCurrentStackPosition(), stack_guard()->real_climit() - 32 * KB);
+#else
   DCHECK_GE(GetCurrentStackPosition(), stack_guard()->real_climit() - 8 * KB);
+#endif
 
   if (FLAG_correctness_fuzzer_suppressions) {
     FATAL("Aborting on stack overflow");
diff --git a/test/mjsunit/regress/regress-1236560.js b/test/mjsunit/regress/regress-1236560.js
new file mode 100644
index 0000000000..987f348aad
--- /dev/null
+++ b/test/mjsunit/regress/regress-1236560.js
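Review bot: The two macros in the new `#if` follow different naming conventions — `V8_USE_ADDRESS_SANITIZER` carries V8's own `V8_USE_` prefix while `MEMORY_SANITIZER` does not — and if MSan builds in this tree only define a `V8_USE_MEMORY_SANITIZER` variant, the MSan case silently keeps the 8 kB bound and the DCHECK keeps firing there; please confirm against the build config which spelling is actually set, since a misspelled preprocessor guard produces no compiler diagnostic. Since the two branches differ only in the slack constant, hoisting that constant out removes the duplicated DCHECK line and gives the number a name; the size is also empirical, so the comment should say where it comes from, e.g. `// 32 kB is empirical: the ASan debug build in crbug.com/1236560 overshot real_climit() by more than 8 kB from C++ frames alone.` Worth noting in that comment that widening the tolerance makes this DCHECK less able to catch a C++ frame that lacks its own stack check in sanitizer builds — the exact condition the preceding comment says the DCHECK exists to detect — and that being a DCHECK it has no effect on release builds. `Isolate::StackOverflow()` begins before this hunk and continues after it.
```cpp
  // … unchanged: comment explaining why the DCHECK exists …
#if defined(V8_USE_ADDRESS_SANITIZER) || defined(MEMORY_SANITIZER)
  // Sanitizer builds inflate C++ frames; 32 kB is empirical (crbug.com/1236560).
  constexpr uintptr_t kAllowedStackOverflowSlack = 32 * KB;
#else
  constexpr uintptr_t kAllowedStackOverflowSlack = 8 * KB;
#endif
  DCHECK_GE(GetCurrentStackPosition(),
            stack_guard()->real_climit() - kAllowedStackOverflowSlack);
  // … unchanged: correctness-fuzzer FATAL …
```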
@@ -0,0 +1,11 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let obj = {};
+let arr = new Uint8Array(3);
+function __f_0() {
+  arr[2] = obj;
+}
+obj.toString = __f_0;
+assertThrows(() => obj.toString(), RangeError);
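Review bot: The new test file never says what it regresses, so a reader has to reverse-engineer why a three-line typed-array store is here; the failure in chromium:1236560 was a debug-only DCHECK in `Isolate::StackOverflow()`, which means this test only exercises the fix in debug builds, presumably only reproduces the original overshoot under a sanitizer, and in release builds merely confirms that the recursion ends in a `RangeError`. A header comment above `let obj = {};` would make that explicit, e.g. `// Regression test for chromium:1236560: storing obj into the Uint8Array runs ToNumber(obj), which (via ToPrimitive) ends up calling obj.toString, i.e. __f_0, which performs the same store again until the stack overflows.` and on the next line `// The overshoot happened entirely in C++ runtime frames, which tripped the DCHECK in Isolate::StackOverflow() on ASan debug builds.` That also documents that `assertThrows(..., RangeError)` is the observable contract, while the DCHECK is the real subject of the test.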